AD Name Mappings - Default Accounts

    Question

  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account (one-to-one), the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user. 

    I know it is possible to do the one to one mapping and the default account can be achieved by the many to one approach.  However, the mapping of the certificates is by the same organization.  So it seems that a particular user account would map to both the specific account and to the many to one account since the identifiers would be so close.

    Is there a way to tell AD, if an account exists one to one to use it, otherwise if the many to one is matched then use the default account?

    I hope that makes sense,

    Mark

    29 March 2012 20:18

All replies

  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account, the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user. 

    I know it is possible to do the one to one mapping and the default account can be achieved by the many to one approach.  However, the mapping of the certificates is by the same organization.  So it seems that a particular user account would map to both the specific account and to the many to one account since the identifiers would be so close.

    Is there a way to tell AD, if an account exists one to one to use it, otherwise if the many to one is matched then use the default account?

    I hope that makes sense,

    Mark

    • Merged by Bruce-Liu 30 March 2012 8:27
    29 March 2012 19:50
  • Hello,

    You need to do a 2-factor authentication with Smartcard or RSA token, for example. We use RSA with Citrix access gateways, so AD account and Token as second factor. Within the domain, logon is possible with only the domain account.

    The Security forum is the better place here to ask for options: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    29 March 2012 19:59
  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account, the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user.

    Just need to make something clear: this is about client certificate authentication to a Web server. You would like to implement one-to-one certificate mapping and have many-to-one mapping as the fall-back option. If so, is the web server IIS, and which version?

    -= F1 is the Key =-

    29 March 2012 22:17
  • Please use Security forum and ask your question.

    Here is Security forum link:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by AjayKumar sharma 29 March 2012 23:45
    29 March 2012 23:26
  • Actually it is using TMG 2010 with AD Name Mapping. Windows Server 2008.

    Thanks

    Mark

    30 March 2012 12:53
  • Thanks.  I thought that is the forum I am in now. Mark

    30 March 2012 12:54
  • It appears Windows Server 2008 is working as follows:

    1. If a certificate maps directly to an account, the account is used.

    2. If a certificate does not map to a specific account, but matches a wildcard, the wildcard account is used.

    Thanks everyone,

    Mark

    • Marked as answer by cdr_pfeifer 5 April 2012 19:24
    5 April 2012 19:24
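The resolution order Mark reports in the final post (exact one-to-one match first, wildcard account only as a fall-back), modelled as an added Python example. This is not code from the thread, from TMG or from Windows: the CA name, user DNs and account names are constructed, and representing the "wildcard" account as an issuer-only `X509:<I>...` mapping next to the one-to-one `X509:<I>...<S>...` form is an assumption of the example.

```python
"""Resolve a presented client certificate to an account: one-to-one first, wildcard second.

Added example modelling the behaviour described in the thread. All directory
data below is constructed; nothing here is TMG or Windows code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertIdentity:
    """Issuer and subject DN taken from a presented client certificate."""
    issuer: str
    subject: str


# Mapping value forms modelled here (assumption: the thread's "wildcard"
# account is an issuer-only mapping):
#   X509:<I>issuerDN<S>subjectDN   one-to-one: exactly this certificate holder
#   X509:<I>issuerDN               many-to-one: any certificate from this issuer
_MAPPING_RE = re.compile(r"^X509:<I>(?P<issuer>[^<]+)(?:<S>(?P<subject>[^<]+))?$")


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignoring whitespace around components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_mapping(value: str) -> Tuple[str, Optional[str]]:
    """Split a mapping string into (issuer, subject-or-None)."""
    match = _MAPPING_RE.match(value)
    if match is None:
        raise ValueError(f"unsupported mapping syntax: {value!r}")
    return match.group("issuer"), match.group("subject")


def resolve_account(cert: CertIdentity,
                    directory: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (account, kind) for the certificate, or None when nothing maps.

    A one-to-one match always wins over a wildcard (issuer-only) match. A
    certificate that fits more than one account at the same level is ambiguous
    and is rejected rather than resolved to an arbitrary account.
    """
    issuer = normalize_dn(cert.issuer)
    subject = normalize_dn(cert.subject)
    one_to_one: List[str] = []
    wildcard: List[str] = []
    for account, mappings in directory.items():
        for value in mappings:
            map_issuer, map_subject = parse_mapping(value)
            if normalize_dn(map_issuer) != issuer:
                continue  # a different CA never matches, not even as a wildcard
            if map_subject is None:
                wildcard.append(account)
            elif normalize_dn(map_subject) == subject:
                one_to_one.append(account)
    for kind, hits in (("one-to-one", one_to_one), ("wildcard", wildcard)):
        if len(hits) > 1:
            raise LookupError(f"ambiguous {kind} mapping: {sorted(hits)}")
        if hits:
            return hits[0], kind
    return None


# Constructed directory: one named user plus a low-privilege default account
# that any certificate from the same issuing CA falls back to.
ISSUER = "DC=com,DC=example,CN=Example Issuing CA"
DIRECTORY: Dict[str, List[str]] = {
    "mark": [f"X509:<I>{ISSUER}<S>DC=com,DC=example,CN=Users,CN=Mark"],
    "certguest": [f"X509:<I>{ISSUER}"],
}

if __name__ == "__main__":
    for subj in ("DC=com,DC=example,CN=Users,CN=Mark",
                 "DC=com,DC=example,CN=Users,CN=Alice"):
        print(subj, "->", resolve_account(CertIdentity(ISSUER, subj), DIRECTORY))
```

Two points from the resolver carry over to a real deployment: the issuer-only fall-back trusts every certificate the CA ever issued, so the default account should hold no more rights than an unauthenticated visitor would; and a certificate that matches two accounts at the same level is a configuration error to be surfaced, not silently resolved.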